(54) Adaptive re-ordering of data packet filter rules

(57) A packet data filter which stores ordered rules and sequentially applies the rules to received data packets to determine the disposition of the data packet. The packet filter maintains a match count in memory which indicates the number of times each rule matched an incoming data packet. Periodically, at the initiation of a user, or based on operating parameters of the filter, the rules are automatically re-ordered based on the match count. As a result of the re-ordering, rules with higher match counts are moved earlier in the sequential evaluation order and rules with lower match counts are moved later in the sequential evaluation order. As such, rules which are more likely to match incoming data packets are evaluated earlier, thus avoiding the evaluation of later rules. In order to prevent a re-ordering which would change the overall security policy of the packet filter, pairs of rules are compared to determine if they conflict (i.e., the swapping of the two rules would result in a change in the overall security policy). During re-ordering, the swapping of conflicting rules is prevented.
Description

Field of the Invention

[0001] The present invention relates generally to data packet filters and, more particularly, to adaptive re-ordering of data packet filter rules to improve the performance of the filter while maintaining a security policy.

Background of the Invention 

[0002] Data networks are becoming increasingly prevalent. For example, many companies have internal data networks which are used for intra-company communication. Such communication includes email, documents, voice and video. These internal data networks are generally connected to an external data network (e.g., the Internet) to allow for the exchange of information between the internal and external networks. However, as a result of the interconnection of data networks, security has become a major concern. Unauthorized access to an internal network can result in the loss of valuable information and in damage to the network and computing systems, resulting in loss of data and computer system crashes.

[0003] A computer programmed to implement a security policy for a data network is called a firewall. Typically, firewalls are placed at strategic points in the network such that all incoming and outgoing data traffic must pass through the firewall. Network traffic is trapped and examined by the firewall to determine if the traffic should be allowed to pass through the firewall. There are various techniques for implementing a firewall. One such implementation is a computer programmed to implement a data packet filter. A data packet filter examines all data packets and either blocks or allows passage of each data packet based on the contents of the data packet. In one implementation, rules stored in the data packet filter define which data packets are allowed to pass and which data packets will be blocked. Each stored rule defines certain parameters of data packets (e.g., source and destination) and includes the disposition of data packets which match these parameters. For example, one rule may indicate that data packets from source X will be blocked, while another rule may indicate that data packets from source Y to destination Z will be allowed to pass. The rules are stored in sequence in the data packet filter and every data packet received by the firewall is tested against the rules in sequential order. The first rule whose parameters match the received packet is applied to the packet, and the packet is treated as indicated by that rule.

[0004] In such a rules based data packet filter, a system administrator must first define a security policy to be implemented by the firewall, and then must program the packet filter with rules which will implement that security policy. One major problem with these types of firewalls is that sophisticated security policies require a large number of rules. Since each data packet which passes through the firewall must be tested against these rules, the performance of the firewall degrades as the number of rules increases.

[0005] One known solution to the performance problem in a data packet filter firewall is to use a memory cache. In such a solution, when a data packet arrives, the relevant parameters (e.g., source and destination) of the data packet are stored; after the packet filter rules have been applied to the received data packet, the resulting disposition is also stored, associated with the relevant parameters of the received data packet. When a subsequent data packet is received with parameters which are the same as parameters previously stored, the cache supplies the associated disposition without applying all the rules to the data packet. This technique works in view of the fact that, for certain applications, ongoing communications will occur between two computers, and there is no need to check every data packet exchanged between the computers during the communication session (i.e., connection). Thus, while this technique improves performance for data packets exchanged during connections, the technique does not improve performance for new connections.

[0006] Packet filters may also be implemented on a client computer, for example a personal computer running World Wide Web (WWW) browsing software (e.g., Microsoft Explorer or Netscape Navigator). Many WWW sites contain material which parents may deem unsuitable for children. As such, several companies offer software which implements packet filters for blocking unsuitable material. These packet filters implement a security policy through the same use of rules as described above. As the number of rules increases, these client based packet filters suffer from the same performance problems as described above.

[0007] What is needed is a technique for improving the performance of a data packet filter as the number of rules 
required to implement a security policy increases. 

Summary of the Invention

[0008] As described above, a data packet filter stores a plurality of ordered rules which are sequentially applied to received data packets to implement a security policy. In accordance with the invention, the rules are automatically re-ordered to improve the performance of the packet filter: rules which are more likely to match incoming data packets are moved earlier in the ordering, and rules which are less likely to match are moved later in the ordering. Since the first rule that matches a packet determines the disposition of the packet, once a rule matches a packet the remaining rules need not be evaluated. By re-ordering the rules, data packets are matched against rules more quickly, and the performance of the packet filter is improved.

[0009] In one embodiment of the invention, the packet filter dynamically maintains, during operation of the packet filter, a count of the number of times each rule matches a data packet, and the rules are re-ordered based on these counts, with the rules matched more often being moved earlier in the rules order. Such re-ordering is made on the premise that the past history of the packet filter provides an indication of its future operation. Thus, by maintaining these counts, the packet filter can adaptively reorder its rules based on its past activity.

[0010] Since the sequence of the rules plays a part in defining the security policy, the swapping of certain rules may result in a change in the security policy. Such changes are undesirable and must be prevented. As such, rules are evaluated to determine which of them may be swapped without changing the security policy. In one embodiment, this determination is made by comparing pairs of rules to determine whether they conflict with each other, where two rules conflict if swapping the rules would result in a change in the security policy. The swapping of conflicting rules is not allowed.

These and other advantages of the invention will be apparent to those of ordinary skill in the art by reference to the following detailed description and the accompanying drawings.

Brief Description of the Drawings

[0014]

Fig. 3 shows the format of an exemplary data packet;
Fig. 4 shows an example of a rule set;
Fig. 6 shows a personal computer in which the present invention may be implemented.

Detailed Description

[0015] Fig. 1 shows an internal data network 102, such as a corporate intranet, which is connected to an external network 106 through a firewall 104. All data packets exchanged between internal network 102 and external network 106 pass through firewall 104, which implements the security policy of the internal network 102.

[0016] The firewall 104 may be implemented by an appropriately configured computer, further details of which are shown in Fig. 2. Fig. 2 shows firewall 104 comprising a processor 202 which controls the overall operation of the firewall 104. Processor 202 is connected to input port 204 and to a memory, which may be any type of well known computer storage device. In operation, processor 202 executes functional computer program modules stored in the memory. In various implementations, these modules may comprise source code, object code, or a combination of source and object code. These modules are discussed in further detail below. One skilled in the art will recognize that an actual implementation of a computer implementing a firewall would have other well known components; such components are not shown in Fig. 2 for clarity.

[0017] The operation of firewall 104 is as follows. When a data packet is received by firewall 104 from external network 106, the data packet is received at input port 204. The format of a data packet 302 is shown in Fig. 3. Data packet 302 contains a header portion 304 and a data portion. The header portion 304 contains the following fields: protocol 308, source address 310, destination address 312, a source port, and destination port 316. The protocol field 308 indicates the protocol with which the data packet 302 is transmitted; for example, the protocol field 308 may indicate that the data packet 302 is transmitted using the TCP protocol. The source address 310 indicates the IP address of the source of the data packet 302. IP addressing is well known in data networking: IP addresses are 32 bits, and are most commonly represented as 4 integers, each between 0 and 255 and each separated by a dot. The destination address 312 indicates the IP address of the destination of the data packet 302. The source port indicates the port number of the source computer. A port number is an integer between 0 and 65,535 and identifies a particular application that runs on a particular machine; for example, web servers conventionally use port 80. The destination port 316 indicates the port number of the destination computer.

[0018] Filter module 214 applies the rules 222 stored in data memory 220 against the received data packet. The first rule that matches the data packet is the rule whose action determines the disposition of the data packet; once a rule matches the data packet, there is no need to apply the remaining rules.

[0019] An example of a rule set which would be stored as rules 222 is shown in Fig. 4. Each rule has a sequence number, which indicates the order in which the rules will be applied to a received packet. Each rule also has fields indicating protocol, source address, destination address, source port, destination port, and an action. Each rule indicates the action to be taken when the information in a packet matches the information in the rule's fields. A packet is said to match a rule if the information in the packet falls within the defined ranges of values in the above described fields. Rule number 1 indicates that any packet received using the TCP protocol with a source address of 125.30.20.200 is to be denied (i.e., blocked), regardless of the contents of the other fields of the packet. The * in a rule field indicates any value. Rule number 2 indicates that any packet received using the TCP protocol from a source address within the range shown in Fig. 4, to a destination address within the range shown in Fig. 4, with a source port in the range 1024-65535 and a destination port of 80, is to be allowed (i.e., passed to its destination). Rule number 3 specifies the disposition of any packet received using the TCP protocol from the source shown in Fig. 4, regardless of the values in the other fields. Finally, rule number 4 indicates that all packets are to be denied. Since rules are applied in sequential order, rule number 4 will only be applied if none of rules 1 to 3 match the incoming data packet. The inclusion of a rule such as rule number 4 is common and implements a security policy that all packets are denied unless specifically allowed. If the matched rule indicates that the data packet is to be allowed, the packet is passed to the internal network 102; if the matched rule indicates that the data packet is to be denied, the packet is not allowed to pass to the internal network 102.

[0020] It is noted that the rules need not necessarily be stored internally in data memory 220 in sequential order. For various reasons, the internal representation of the rules may be different from the logical representation shown in Fig. 4. However, regardless of the internal representation, each rule will be associated with an indication of its order of evaluation (e.g., a sequence number or priority), such that the filter module 214 applies the rules in a given sequence.

[0021] As the number of stored rules 222 increases, the performance of the firewall 104 generally decreases, because it takes longer to apply the rules to each received data packet. The present invention solves this performance problem by re-ordering the stored rules 222 such that rules which are more likely to match incoming data packets are placed earlier in the sequential order (i.e., assigned a lower sequence number). This improves the performance of the firewall because, once a rule is matched, the remaining rules need not be applied, thus saving the processing time required to apply those remaining rules. If rules which are more likely to match are placed earlier in the rules sequence, the performance of the firewall will be improved.

[0022] However, prior to re-ordering the rules, it must be determined which rules may be re-ordered without having an effect on the overall security policy of the firewall 104. Because of the sequential application of the rules to received data packets, certain re-orderings would result in a change in the overall security policy. Such re-orderings must be prevented. For example, referring to the rule set of Fig. 4, rule number 4 could not be swapped with rule 1, because such a swap would result in all data packets being denied, since rule number 4 indicates that all packets are to be denied and, if evaluated first, would match every packet. Therefore, it is necessary to determine which rules may be re-ordered while still maintaining the security policy of the firewall.
[0023] In order to determine which rules may be re-ordered, a conflict module 218 analyzes the rule set 222 to determine which pairs of rules conflict, i.e., pairs for which the swapping of the pair would result in a change in the security policy. Generally, two rules are said to conflict with each other if at least one data packet could match both rules and the rules specify different actions. One algorithm for determining whether a Rule-A conflicts with a Rule-B is as follows:

    If ACTION of Rule-A is not the same as ACTION of Rule-B then
        if the PROTOCOL of Rule-A does not intersect with the PROTOCOL of Rule-B then
            no conflict between Rule-A and Rule-B
        else if the SOURCE ADDRESS of Rule-A does not intersect with the SOURCE ADDRESS of Rule-B then
            no conflict between Rule-A and Rule-B
        else if the DESTINATION ADDRESS of Rule-A does not intersect with the DESTINATION ADDRESS of Rule-B then
            no conflict between Rule-A and Rule-B
        else if the SOURCE PORT of Rule-A does not intersect with the SOURCE PORT of Rule-B then
            no conflict between Rule-A and Rule-B
        else if the DESTINATION PORT of Rule-A does not intersect with the DESTINATION PORT of Rule-B then
            no conflict between Rule-A and Rule-B
        else
            conflict between Rule-A and Rule-B
    else
        no conflict between Rule-A and Rule-B.

[0024] Two fields intersect if there is at least one value which falls within both. With respect to fields which contain IP addresses, the fields will intersect if there is any overlap between the address ranges. For example, if one rule's address field contains the range 123.30.20.70 - 123.30.20.100 and another rule's address field contains a range which overlaps it, the two fields intersect; the IP address 123.30.20.85, for instance, would fall within both ranges. Thus, if the actions of two rules are different, and if there is an intersection in all of the fields, the rules conflict; otherwise, the rules do not conflict. Of course, one skilled in the art could modify the above algorithm in order to detect the conflict between rules with a different set of fields. Such an algorithm would compare each field of each rule to determine whether there is any intersection; if there were an intersection in every field and the actions of the two rules were different, then the rules conflict.

[0025] It is noted that the conflict module 218 is executed whenever the rule set 222 changes (e.g., when a rule is added or deleted). The results of the analysis by the conflict module 218 are stored in data memory 220 as conflict data 226, which indicates, for every possible pair of rules, whether the two rules conflict. For example, the entry for rule 3 and rule 2 contains NO, indicating that rule 3 and rule 2 do not conflict.

[0026] The rules are re-ordered such that rules which are more likely to match incoming data packets are placed earlier in the sequential ordering. The decision as to which rules are more likely to match is made with reference to the past history of the firewall 104. In one embodiment, this past history is recorded by an activity module 216, which records each rule that is matched by an incoming packet. In accordance with the invention, activity module 216 dynamically maintains a table which associates with each rule a count of the number of times the rule has matched an incoming packet. It is noted that the counts can periodically be reinitialized to zero.

[0027] The re-ordering of the rule set 222 may be performed periodically (e.g., every few minutes), may be initiated by a user, or may be initiated based on operating parameters of the firewall (e.g., when the performance of the firewall falls below a threshold). The rules are re-ordered with rules that matched data packets more often being placed earlier in the sequential ordering.
[0028] One algorithm for swapping rules is as follows (N is the number of rules, numbered 1 to N in evaluation order):

    For i = 1 to N
        J = N
        While J > 1
            if match count for Rule J > match count for Rule J-1 then
                if Rule J does not conflict with Rule J-1 then
                    Swap Rule J with Rule J-1.
            J = J - 1.

[0029] This algorithm attempts to move the rules with a higher match count earlier in the rules sequence while leaving every conflicting pair in its original relative order. As such, the firewall is dynamically adaptable to changing operating conditions. As is known, one type of attack on a computer system is a denial of service attack, which is aimed at degrading the performance of the system. One technique for mounting such an attack is to send a large number of packets known to be blocked by the network's firewall. If such packets are rejected by a rule late in the sequential ordering of rules, then every time such a packet is received by the firewall, the firewall must apply many rules before rejecting the packet. For example, if the rule which will eventually reject the data packet is rule number 100, then each time such a packet is received the firewall must apply 100 rules prior to rejecting it. By sending many such packets, an attacker may seriously impair the performance of the firewall. The present invention addresses such an attack as follows. As the attacker sends such packets, the match count of rule number 100 will increase quickly, and at the next re-ordering rule number 100 will be moved earlier in the sequential ordering (as far as the conflict data allows), so that the packets are rejected after applying fewer rules. Further, if the re-ordering of rules is initiated based on the performance of the firewall, the effect of the denial of service attack will subside once the rules are re-ordered.
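As an added example (not code from the patent), the following Python implements the pair-wise conflict check of [0023] and the swap loop of [0028] on a constructed rule set modelled on Fig. 4, and verifies that the re-ordering leaves the disposition of a set of constructed packets unchanged, including the case of a late deny rule whose match count has been driven up as in [0029]. All rule values, match counts and packets are assumed sample data; two rules are treated as conflicting only when their actions differ and every field intersects, as the description states, and an implicit deny is assumed when no rule matches.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
TCP, UDP = 6, 17
Range = Optional[Tuple[int, int]]   # closed integer range; None stands for "*" (any value)

def ip(s: str) -> int:
    a, b, c, d = (int(x) for x in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    proto: Range = None
    src: Range = None
    dst: Range = None
    sport: Range = None
    dport: Range = None
    count: int = 0                  # match count kept by the activity module
    def fields(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)
    def matches(self, pkt) -> bool:  # pkt = (proto, src, dst, sport, dport)
        return all(r is None or r[0] <= v <= r[1] for r, v in zip(self.fields(), pkt))

def intersects(a: Range, b: Range) -> bool:
    # "*" intersects everything; two ranges intersect when they overlap.
    return a is None or b is None or (a[0] <= b[1] and b[0] <= a[1])

def conflict(a: Rule, b: Rule) -> bool:
    # A swap can change the policy only if the actions differ AND every field intersects.
    return a.action != b.action and all(intersects(x, y) for x, y in zip(a.fields(), b.fields()))

def disposition(rules, pkt) -> str:
    # Sequential evaluation: the first matching rule decides.
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "deny"                   # assumption: nothing matched -> deny

def reorder(rules):
    # Swap loop of [0028]: bubble higher-count rules earlier, one adjacent swap
    # at a time, but never swap a conflicting pair.
    rules, n = list(rules), len(rules)
    for _ in range(n):
        for j in range(n - 1, 0, -1):
            if rules[j].count > rules[j - 1].count and not conflict(rules[j], rules[j - 1]):
                rules[j], rules[j - 1] = rules[j - 1], rules[j]
    return rules

def policy_preserved(before, after, packets) -> bool:
    return all(disposition(before, p) == disposition(after, p) for p in packets)

# Constructed rule set in the spirit of Fig. 4 (every value is made up for this example).
RULES = [
    Rule("R1", "deny", (TCP, TCP), (ip("10.1.1.7"), ip("10.1.1.7"))),
    Rule("R2", "allow", (TCP, TCP), (ip("10.0.0.0"), ip("10.0.0.255")),
         (ip("192.0.2.10"), ip("192.0.2.20")), (1024, 65535), (80, 80)),
    Rule("R3", "deny", (TCP, TCP), (ip("198.51.100.0"), ip("198.51.100.255"))),
    Rule("R4", "deny"),             # catch-all: deny everything not allowed above
]
# Constructed sample packets: (proto, src, dst, sport, dport).
PACKETS = [
    (TCP, ip("10.1.1.7"), ip("192.0.2.10"), 2000, 80),
    (TCP, ip("10.0.0.9"), ip("192.0.2.15"), 40000, 80),
    (TCP, ip("198.51.100.42"), ip("192.0.2.15"), 40000, 80),   # flood source, hits R3
    (UDP, ip("10.0.0.9"), ip("192.0.2.15"), 53, 53),
]

def demo():
    # Match history after a flood from 198.51.100.0/24: R3's count grows fastest.
    for r, c in zip(RULES, (5, 40, 900, 200)):
        r.count = c
    after = reorder(RULES)
    return [r.name for r in after], policy_preserved(RULES, after, PACKETS)
```

In the demo the flooded deny rule R3 bubbles to the front, while the catch-all R4 stops behind the allow rule R2 because the two conflict, so every packet keeps its original disposition.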

[0030] The present invention may also be implemented in a personal computer configured to filter data packets received from a data network. In such a configuration, a personal computer is connected to the Internet via a modem and a dial-up connection over the telephone network. Since it is often desirable to limit the sites which a user of the personal computer may access, there are various filter programs available which filter incoming data packets. The technique of the present invention may be implemented in such a personal computer. One such embodiment of the invention is shown in Fig. 6 as personal computer 600. Personal computer 600 is connected to a modem which is used to establish a connection 604 to a data network such as the Internet, which allows the computer to access World Wide Web (WWW) sites and to receive information from such sites. In accordance with the invention, personal computer 600 also includes a packet filter program module 606, which contains a re-order module, filter module, activity module and conflict module which operate to implement a packet filter as described above, and data memory 608 including rules, history, and conflict data, also as described above. A user interacts with computer 600 via a graphical input device 618 (e.g., a mouse) and a display. When a user of computer 600 requests information on the Internet, the packet filter module 606 operates as described above in order to filter data packets in accordance with a security policy, and the rules may be re-ordered to improve the performance of the packet filter as long as such re-ordering does not change the security policy.

[0032] It is noted that the present invention is not limited to the embodiments described above in connection with a firewall and a personal computer. For example, the invention may be implemented in a network router which is configured for data packet filtering.

[0033] The foregoing Detailed Description is to be understood as being in every respect illustrative and exemplary, but not restrictive, and the scope of the invention disclosed herein is not to be determined from the Detailed Description, but rather from the claims as interpreted according to the full breadth permitted by the patent laws. It is to be understood that the embodiments shown and described herein are only illustrative of the principles of the present invention and that various modifications may be implemented by those skilled in the art without departing from the scope and spirit of the invention.



Claims

1. [...]

automatically re-ordering said ordered rules.

2. The method of claim 1 wherein said step of re-ordering is based on prior activity of said data packet filter.

3. The method of claim 2 further comprising the step of: [...]

wherein said step of re-ordering is based on said match data.

4. The method of claim 3 wherein said step of re-ordering is performed such that rules which are matched more often are evaluated earlier.

5. The method of claim 1 wherein said step of automatically re-ordering is performed periodically.

6. The method of claim 1 wherein said step of automatically re-ordering is performed when the performance of said data packet filter falls below a threshold.

7. The method of claim 1 wherein said step of re-ordering is performed by swapping pairs of rules, said method further comprising the step of: determining pairs of rules which can be swapped without changing said security policy.

8. The method of claim 7 wherein said step of re-ordering is performed such that said security policy is not changed.

9. The method of claim 7 wherein said step of determining further comprises the step of determining the intersection of fields of pairs of said rules.

10. A data packet filter for implementing a security policy comprising:
a memory for storing a plurality of ordered rules;
a filter module for sequentially applying said rules to received data packets; and
a re-ordering module for re-ordering said ordered rules.

11. The data packet filter of claim 10 wherein said memory further stores information representing past activity of said data packet filter and wherein said re-ordering is based on said past activity.

12. The data packet filter of claim 11 wherein said information representing past activity comprises match data indicating the number of times each of said rules is matched by a data packet.

13. The data packet filter of claim 12 further comprising:
an activity module for dynamically maintaining said match data.

15. The data packet filter of claim [...] [...] without altering said security policy.

17. A computer readable medium storing computer program instructions for controlling a computer system, said computer program instructions defining the steps of:
filtering received data packets by sequentially applying a plurality of ordered rules, said rules defining a security policy; and
automatically re-ordering said ordered rules.

18. The computer readable medium of claim 17 wherein said computer program instructions further comprise instructions defining the step of: re-ordering said rules based on prior activity of said computer system.

19. The computer readable medium of claim 18 wherein said computer program instructions further comprise instructions defining the steps of:
dynamically maintaining, during operation of said computer system, match data indicating the number of times each of said rules is matched by a data packet; and
re-ordering said rules based on said match data.

20. The computer readable medium of claim 19 wherein said computer program instructions further comprise instructions defining the step of: re-ordering said rules such that rules which are matched more often are applied earlier.

21. The computer readable medium of claim 17 wherein said computer program instructions further comprise instructions defining the step of: periodically automatically re-ordering said rules.

22. The computer readable medium of claim 17 wherein said computer program instructions further comprise instructions defining the step of: automatically re-ordering said rules when the performance of said computer system falls below a threshold.

23. The computer readable medium of claim 17 wherein said computer program instructions further comprise instructions defining the step of: determining pairs of rules which can be swapped without changing said security policy.

24. [...] re-ordering said rules by swapping only those rules which may be swapped without changing said security policy.

25. The computer readable medium of claim 23 wherein said computer program instructions further comprise instructions defining the step of: determining the intersection of fields of pairs of said rules to determine the rules which can be swapped without changing said security policy.

26. A firewall for filtering data traffic between a first network and a second network comprising:
an input port for receiving data packets;
a memory storing a plurality of ordered rules defining a security policy of said firewall;
a filter module for sequentially applying said ordered rules to received data packets; and
a re-order module for automatically re-ordering said plurality of rules.

27. The firewall of claim 26 further comprising [...]

32. [...] of claim 30 [...] based on said activity [...].